No Food for Thought

FOSS Security, and Transparency at the Linux Foundation

admin Saturday March 13, 2021

In December, the Linux Foundation released a report on its 2020 FOSS Contributor Survey. The most important and discussed takeaway was weakness in security (Need to Increase Security). At the core of that finding is that section's very first paragraph, which starts as follows.

Linux Foundation wrote:
One of the survey goals was to understand the state of security in FOSS, and indeed it found that respondents report spending very little of their time on responding to security issues (an average of 2.27% of their total time spent). Moreover, the respondents do not report a desire to increase this significantly; in fact, the average of percent of time reported they would like to spend on security was only 0.06% higher.

These figures are obviously eyebrow-raising. The flagrant error in the figure cited right after, in that same paragraph, surely doesn't help with trust, so I checked. Unfortunately, the report gives no explanation at all of how these figures were computed. And I couldn't reproduce these figures from the survey data.

But my third surprise would be even greater. I checked what others were saying about the topic - and found nothing. Not because no one questioned or challenged it, but because the Linux Foundation provides no means at all to report an issue in that report.

That is right. The report indicates it was updated to fix errors, but suggests no way to report remaining errors. And that's just the tip of the iceberg; the Linux Foundation, in general, does not offer any system to track its issues. Nor does it even offer any forum to discuss such matters. Its tens of mailing lists are all project-specific. That, from an organization which calls for greater transparency, no further away than in that very report… if FOSS is short on security, it sure isn't on irony!

The ultimate surprise would take a little longer. Having no other option, I questioned the foundation in the only possible way, via its contact form:

Regarding the Report on the 2020 FOSS Contributor Survey, how do you translate survey data into the figures in the first paragraph of section 2. Need to Increase Security (High-Level Takeaways & Suggested Actions, page 31)?

The form didn't even send me a copy of my message. But it said I would get a reply within 2 business days.

I have been waiting for 3 business weeks.

I will of course update this as soon as the Linux Foundation replies. But until the foundation is built on stronger foundations, none of its publications should be taken at face value.
